基于软件定义网络的Crossfire攻击防御方法

Crossfire Attack Defense Method Based on Software Defined Network

区别于常规的分布式拒绝服务攻击,利用僵尸网络发动的Crossfire攻击具有低速率不可区分的特性,这导致常规入侵检测系统难以防御此类攻击。针对该问题,设计一种检测防御Crossfire攻击的方法。该方法基于软件定义网络(SDN),首先利用网络瓶颈选择算法筛选出易受攻击的网络瓶颈节点与链路,在此基础上部署虚拟节点预防Crossfire攻击,虚拟节点应答可疑探测流,扰乱攻击者的攻击视图从而隐藏物理拓扑的网络瓶颈,并基于随机森林和双阈值自编码器检测僵尸网络,最后通过慢开始防御策略和局部快速重路由方法达到防御Crossfire攻击的目的。实验在SDN环境下进行,虚拟节点的部署能够使得瓶颈节点指标明显降低,构建的僵尸网络检测模型在精度、召回率、F1值等方面相较于传统随机森林分类模型提高近5个百分点,防御方法能够在10 s内达到缓解Crossfire攻击的效果。实验结果表明,相对其他方法,所提方法能有效检测并缓解此类攻击,且在此过程中基本不会影响到合法流量在物理拓扑中的正常转发。

Unlike conventional Distributed Denial of Service(DDoS)attacks,Crossfire attacks launched by botnets are low-speed and indistinguishable,making them difficult for traditional intrusion detection systems to defend against.To address this issue,a method for detecting and defending against Crossfire attacks is proposed,based on a Software Defined Network(SDN).The method involves several steps.First,a network bottleneck selection algorithm identifies vulnerable network bottleneck nodes and links.On this basis,virtual nodes are deployed to prevent Crossfire attacks.These virtual nodes respond to suspicious probe flows,distorted the attacker′s view,and obscured the network bottleneck in the physical topology.Botnet detection is performed using a random forest and a double-threshold autoencoder.Finally,a slow-start defense strategy and local fast rerouting method are adopted to mitigate crossfire attacks.Experiments conducted in an SDN environment show that deploying virtual nodes significantly reduces the bottleneck node index.The proposed botnet detection model performs approximately 5 percentage points better in terms of precision and recall compared to the traditional random forest classification model.The defense method effectively mitigates Crossfire attacks within 10 s.Experimental results show that the proposed method can effectively detect and mitigate such attacks in the SDN environment,with minimal impact on the normal forwarding of legitimate traffic in the physical topology.